Enterprise Security Perception and the “House of Security”
September 6, 2006
Professor Stuart Madnick {smadnick@mit.edu}
Sloan School of Management, Massachusetts Institute of Technology
Cambridge, MA
Updated as of 10 Sep 2006
© MIT, 2006



Page 2

Copyright © 2006, MIT

Differing Perceptions

Picture of old lady or young lady?

Perceptions are as important as “reality” (maybe more important)

Page 3

Good Security

Good Security provides Accessibility to data and networks to appropriate users while simultaneously protecting Confidentiality of data and minimizing Vulnerabilities to attacks and threats.

Good Security Practice goes beyond technical IT solutions. It is driven by a Business Strategy with associated Security Policies and Procedures implemented in a Culture of Security. These practices are supported by IT Resources and Financial Resources dedicated to Security.

Page 4

Security Constructs: “House of Security”

[Figure: “House of Security” diagram built from the eight security constructs: Technology Resources for Security, Financial Resources for Security, Business Strategy for Security, Security Policy & Procedures, Security Culture, Accessibility, Confidentiality, Vulnerability.]

Assessment Perceptions: Examples

Who gives lowest “assessment” of these security constructs? Executives? Line Managers? Professionals?

Which is given highest “assessment” of the constructs? Own company? “Partner” company? About same?

Page 5

Purpose of Gap Analysis

Gap Analysis is to understand Differences in Perceptions between:

(A) Security Status Assessment and Security Importance

(B) Views of diverse Security Stakeholders … within and across the Enterprise

Types of Gaps (examples)

Performance Gaps: Current Status v. Importance

Role Gaps: Business Managers v. IT staff

Rank Gaps: Executive v. Line Manager

Page 6

Purpose of Gap Analysis (cont.)

Gaps represent Opportunities for Improvement within the Enterprise and across the Extended Enterprise

(A) When Status is below the Needs:
• Represent Areas for Improvement

(B) When Status among Stakeholders shows differences, these represent areas for Investigating sources of the differences:
• Gaps may represent misunderstandings
• Gaps may represent differences in local knowledge and needs

Page 7

Gap Analysis Questionnaire

1. Questionnaire respondents are:
• Diverse roles (e.g., IT, non-IT)
• Diverse ranks (e.g., Line managers, Executives)
• Diverse companies and industries

2. Each respondent reports his/her view of actual assessment and importance of each question for both his/her organization and a partner organization.

Page 8

Example Security Questions

Page 9

Evaluating Statistical Significance

“My organization” Gaps: significant @ 99.98%

Partner Gaps: significant @ 99.97%

Statistically Significant Instrument for Measuring Components of Security Perceptions

Page 10

Example Gap Analysis Findings – Different Organizations

MA = Assessment of “My” organization (5.1)

MI = Importance for “My” organization (6.3)

Gap = difference between Assessment and Importance – for “My” organization (1.2)

Question 33: People are aware of good security practices.

[Figure: three bar charts of MA, MI and Gap for Question 33, one bar each for Comp I, Comp W, Comp X, Misc. and Overall; scale 4–7.]

Observation: Big differences between companies.

Page 11

Example Gap Analysis Findings – Compared with Partner Organization

Gap between Assessment and Importance – for “My” organization: Overall gap = 0.74

Gap between Assessment and Importance – for “Partner” organization: Overall gap = 0.45

Question 33: People are aware of good security practices.

[Figure: bar chart for Question 33 comparing My Org (MA, MI, Gap) with My Partner (PA, PI, Gap): assessment 5.07 v 5.14, gap 0.74 v 0.45; scale 4.5–6.]

General conclusion:
- View partner as slightly “better” (5.14 v 5.07)
- But it is also much “less important” (5.59 v 5.81)
-> So Gap is much less (0.45 partner v 0.74 “my Organization”)

Page 12

Dimensions of Security

[Figure: the “House of Security” diagram again, showing the eight dimensions: Technology Resources for Security, Financial Resources for Security, Business Strategy for Security, Security Policy & Procedures, Security Culture, Accessibility, Confidentiality, Vulnerability.]

Page 13

Analysis of Construct Reliability and Validity

Reliability - Cronbach's Alpha Values

Construct            MA       MI
Accessibility        0.90758  0.93701
Vulnerability        0.83714  0.91012
Confidentiality      0.91808  0.94026
Financial Resources  0.91878  0.92768
IT Resources         0.91023  0.93680
Business Strategy    0.86877  0.89343
Security Policy      0.92184  0.93834
Security Culture     0.92188  0.94296

For good reliability, want Cronbach's Alpha values to be >0.6, better if >0.7

Construct Validity - Convergent and Discriminant Validity

Columns are in the same order as the rows: Acc = Accessibility, Vul = Vulnerability, Con = Confidentiality, Fin = Financial Resources, ITR = IT Resources, Bus = Business Strategy, Pol = Security Policy, Cul = Security Culture.

                     Acc      Vul      Con      Fin      ITR      Bus      Pol      Cul
Accessibility        0.96606  0.82730  0.86289  0.72385  0.81193  0.75817  0.75993  0.77299
Vulnerability        0.82730  0.89537  0.85986  0.83791  0.88582  0.83439  0.85439  0.83308
Confidentiality      0.86289  0.85986  0.97320  0.79234  0.86494  0.83070  0.85867  0.85271
Financial Resources  0.72385  0.83791  0.79234  0.97366  0.88814  0.86196  0.86675  0.84406
IT Resources         0.81193  0.88582  0.86494  0.88814  0.96623  0.84474  0.87556  0.85137
Business Strategy    0.75817  0.83439  0.83070  0.86196  0.84474  0.93056  0.88216  0.85515
Security Policy      0.75993  0.85439  0.85867  0.86675  0.87556  0.88216  0.97341  0.84505
Security Culture     0.77299  0.83308  0.85271  0.84406  0.85137  0.85515  0.84505  0.96241

For good Convergent Validity, want diagonals >0.50. For good Discriminant Validity, want all values in columns of each construct to be lower than the diagonals.

Reliability = produces consistent results

Validity = components are more correlated with others of that construct than another construct
- Convergent Validity – form a single construct
- Discriminant Validity – not of another construct

Statistically Reliable & Valid Instrument for Measuring Perceptions of Security Constructs
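The gap computation from the preceding slides (MA, MI, PA, PI and their differences) and the Cronbach's alpha reliability check on this slide, worked through as an added example that is not part of the presentation; the respondents, ranks and ratings are constructed, and only two of the eight constructs are mapped to their appendix questions.

```python
"""Gap analysis and Cronbach's alpha for a perception survey like the page's instrument.

Added example, not the MIT study's code. Responses are constructed; the question-to-
construct mapping is a subset of the page's appendix. Each respondent rates every
question four times on a 1-7 scale: MA/MI = assessment/importance for the respondent's
own organization, PA/PI = the same for a partner organization.
"""
from statistics import mean, pvariance

QUESTIONS = ["q08", "q14", "q21", "q26", "q33", "q04", "q11", "q30", "q34"]
CONSTRUCTS = {
    "Security Culture": ["q08", "q14", "q21", "q26", "q33"],
    "Accessibility": ["q04", "q11", "q30", "q34"],
}

# Constructed respondents: (rank, {kind: ratings aligned with QUESTIONS}).
RESPONSES = [
    ("Executive", {"MA": [4, 4, 5, 5, 4, 6, 6, 6, 5],
                   "MI": [6, 7, 6, 6, 6, 7, 7, 6, 6],
                   "PA": [5, 5, 5, 5, 5, 6, 6, 6, 6],
                   "PI": [5, 6, 5, 5, 5, 6, 6, 6, 6]}),
    ("Executive", {"MA": [3, 4, 4, 4, 3, 5, 6, 5, 5],
                   "MI": [6, 6, 6, 6, 6, 6, 6, 6, 6],
                   "PA": [4, 4, 5, 5, 4, 6, 6, 6, 5],
                   "PI": [5, 5, 5, 5, 5, 6, 6, 6, 6]}),
    ("Professional", {"MA": [6, 5, 6, 6, 6, 6, 7, 6, 6],
                      "MI": [6, 6, 6, 6, 6, 7, 7, 6, 6],
                      "PA": [5, 5, 6, 6, 5, 6, 6, 6, 6],
                      "PI": [6, 6, 6, 6, 6, 6, 6, 6, 6]}),
    ("Professional", {"MA": [5, 6, 6, 5, 5, 6, 6, 6, 6],
                      "MI": [6, 7, 6, 6, 6, 6, 6, 6, 6],
                      "PA": [5, 5, 5, 5, 5, 6, 6, 6, 6],
                      "PI": [5, 5, 5, 5, 5, 6, 6, 6, 6]}),
]


def item_matrix(construct, kind, rank=None):
    """Rows = respondents (optionally only one rank), columns = the construct's questions."""
    cols = [QUESTIONS.index(q) for q in CONSTRUCTS[construct]]
    return [[r[kind][c] for c in cols] for who, r in RESPONSES if rank in (None, who)]


def construct_mean(construct, kind, rank=None):
    """Average construct value, i.e. one bar (MA, MI, PA or PI) on the page's charts."""
    return mean(mean(row) for row in item_matrix(construct, kind, rank))


def gap(construct, partner=False, rank=None):
    """Importance minus assessment: MI-MA for the own organization, PI-PA for the partner."""
    imp, ass = ("PI", "PA") if partner else ("MI", "MA")
    return construct_mean(construct, imp, rank) - construct_mean(construct, ass, rank)


def cronbach_alpha(construct, kind):
    """alpha = k/(k-1) * (1 - sum of item variances / variance of respondent totals).
    Population and sample variance give the same ratio, so pvariance is used."""
    rows = item_matrix(construct, kind)
    k = len(rows[0])
    item_vars = sum(pvariance(col) for col in zip(*rows))
    return k / (k - 1) * (1 - item_vars / pvariance([sum(row) for row in rows]))


def reliable(alpha):
    """The page's rule of thumb: alpha > 0.6 is acceptable, > 0.7 is better."""
    return alpha > 0.7


if __name__ == "__main__":
    for c in CONSTRUCTS:
        a = cronbach_alpha(c, "MA")
        print(f"{c}: MA={construct_mean(c, 'MA'):.2f} MI={construct_mean(c, 'MI'):.2f} "
              f"gap={gap(c):.2f} partner gap={gap(c, partner=True):.2f} "
              f"alpha(MA)={a:.3f} reliable={reliable(a)}")
    for rank in ("Executive", "Professional"):
        print(f"Security Culture gap for {rank}s: {gap('Security Culture', rank=rank):.2f}")
```

With these constructed ratings the Security Culture gap is largest, the partner is rated slightly higher but less important (so its gap is smaller), and the Executive gap exceeds the Professional gap, the same pattern the slides report for the real data.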

Page 14

Average Construct Values

[Figure: bar chart of My Assessment (MA), My importance (MI), Partner Assessment (PA) and Partner importance (PI) for each construct: Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture; scale 4.0–6.5.]

Observation: ‘My’ assessment = similar to assessment of Partner

‘My’ assessment:
- Accessibility, Confidentiality highest
- Culture, Policy, Financial, Strategy lowest

Observation: ‘My’ importance > importance of Partner

Page 15

Construct Gaps: Absolute Values

[Figure: bar chart per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) of |MI-MA| (“My” Gap Between Assessment & Importance), |PA-MA| (Gap between “My” & Partner Assessment, almost the same), |PI-MI| (Gap between “My” & Partner Importance) and |PI-PA| (Partner Gap); scale 0.0–1.0.]

Largest Gap = .82, Smallest Gap = .33

Security Culture is a Major Concern

Page 16

Security Culture Questions

• Security Practices
– In the organization, people are aware of good security practices. [q33; gap=.78]
– People in the organization are knowledgeable about IT security tools and practices. [q08; gap=.82]
– People in the organization carefully follow good security practices. [q14; gap=1.08] Largest gap!

• Ethics and Trust
– People in the organization can be trusted not to tamper with data and networks. [q21; gap=.69]
– People in the organization can be trusted to engage in ethical practices with data and networks. [q26; gap=.74]

Page 17

Company Assessment: Values

[Figure: chart of construct assessment values for 6 companies and the Average of All respondents [194].]

Observation: Some similarities. But many differences.

Page 18

Company Assessment: Gaps

[Figure: chart of construct gaps for the 6 companies against the Average [194]. Small gaps: Why are these guys so “happy”? Large gaps: And these “not”?]

- Can Benchmark Your Company Against “Average”
- Can Monitor Changes in Your Company Over Time

Page 19

A Closer Look

• Rank Gaps:

– e.g. Executives v. Professionals

• Role Gaps:

– e.g. Business Managers v. IT staff

• Industry Gaps:

– e.g. Healthcare v. Banking

Page 20

Average Construct Values (MA by Ranks)

[Figure: bar chart of My Assessment (MA) per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) for Executives, Managers, Professionals, Customer Service and Others; scale 4.5–6.0.]

Executives have lowest assessment of security in general

Page 21

Construct Gaps: Absolute Values (MI-MA by Ranks)

[Figure: bar chart of absolute MI-MA gaps per construct for Executives, Managers, Professionals, Customer Service and Others, with Executives contrasted against All Others; scale 0.0–1.4.]

Gaps Average 60% Greater for Executives

Page 22

Average Construct Values: Importance (MI by Roles)

[Figure: bar chart of My importance (MI) per construct for the roles Business Security Policy, IT Security, IT (Not Security), General / Physical Security and Not Security or IT; scale 4.5–6.5. The “Not in Security or IT” group is contrasted with the various IT and Security roles.]

Those ‘Not in Security or IT’ Perceive Security as Less Important

Page 23

Construct Gaps (MI-MA by Roles)

[Figure: bar chart of MI-MA gaps per construct for the roles Business Security Policy, IT Security, IT (Not Security), General / Physical Security and Not Security or IT; scale 0.0–1.2.]

But Even Those ‘Not in Security or IT’ Still Perceive Significant Security Gaps

Page 24

My Assessment of Security by Industry

[Figure: bar chart of Assessment Rating by Security Construct for Banking & Finance, Tele/Communication, Health & Social Assistance, Manufacturing, Retail and Technology Services; scale 4.4–6.4, with Healthcare, Retail and Manufacturing marked.]

Healthcare, Retail, and Manufacturing are Industries with Lowest Construct Assessments

Page 25

Security Gaps by Industry

[Figure: bar chart of Construct Gaps |MA-MI| by Security Construct for Banking & Finance, Tele/Communication, Health & Social Assistance, Manufacturing, Retail and Technology Services; scale 0.2–0.9, with Manufacturing, Healthcare and Tech Services marked.]

Healthcare, Tech Services, and Manufacturing are Industries with Largest Gaps

Page 26

Gaps in Banking & Finance

[Figure: chart per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) of the Level of desired security, the Level of current security practices and the Gap in this industry; scale 5–6.2.]

Even the Banking & Finance Industry has Sizable Gaps

Page 27

Summary of Key Findings

1. Statistical instrument for measuring perceptions of security
– Can use to benchmark your company
– Can monitor changes over time

2. ‘Security Culture’ is a major concern
– Needs to be explicitly addressed

3. Healthcare, Retail, and Manufacturing have low assessments and sizable gaps
– Certain industries to focus on … but all need

4. Executives have lowest assessments of security and largest gaps

5. Those ‘not Security or IT’ perceive security less important, but still sizable gaps
– Opportunity/need for communication

Page 28

“How Good is your Security?”

More analysis still underway

Stuart Madnick; T 617-253-6671; E-mail: smadnick@mit.edu
Summary: http://ebusiness.mit.edu/research/Briefs/Madnick_Siegel_Security_Brief.pdf
TSQM Survey: http://web.mit.edu/surveys/tsqm/

It is well known in Consumer Behavior Research that

Perception Is Reality

• Your behavior is based on your perceptions

• We have combined that notion with the discipline of statistics to advance our understanding of Security

Page 29

Next steps:

1. Larger-scale Gap Analysis Study
– More individual participants
– More company-specific participation

2. Understand Reasons for Differences
– More details on the “why?” and “so what?”
– Detailed company-specific case studies

3. Determine Prescriptive actions
– More education (what & how best?)
– More security in specific areas
– More appropriate security & training
– Etc …

Page 30

Acknowledgement: MIT TEAM

FACULTY
• Yang Lee
• Stuart Madnick
• Michael Siegel
• Diane Strong
• Richard Wang
• Chrisy Yao

STUDENTS
• Wee Horng Ang
• Vicki Deng
• Desiree Rap
• Dinsha Mistree
• Venkataramana Thummisi

Page 31

Extra Slides

Page 32

Average Construct Values: Assessment (MA by Company Size)

[Figure: bar chart of Assessment by Security Construct for company sizes (No. of Employees) 1-100, 100-1K, 1K-10K, 10K-50K, 50K-100K and 100K+; scale 4.0–6.5, with Small Companies (1-100 and 100-1K) and Large Enterprises (100K+) marked.]

In general, the Larger the company, The Higher the Assessments

Page 33

Average Construct Values: Importance (MI by Company Size)

[Figure: bar chart of Importance by Security Construct for company sizes (No. of Employees) 1-100, 100-1K, 1K-10K, 10K-50K, 50K-100K and 100K+; scale 4.0–6.5, with Small Companies (1-100 and 100-1K) and Large Enterprises (100K+) marked.]

In general, the Larger the company, The Higher the Importance

But, Mid-sized companies (1-10K & 10-50K) also had High Importance levels

Page 34

Construct Gaps (MI-MA by Company Size)

[Figure: bar chart of MI-MA gaps by Security Construct for company sizes (No. of Employees) 1-100, 100-1K, 1K-10K, 10K-50K, 50K-100K and 100K+; scale 0.0–1.0.]

In general, the Larger the company, The Smaller the gaps

Small Companies (1-100 and 100-1K): large gaps

But, Mid-Sized companies (1-10K & 10-50K) also had large gaps

Large Enterprises (100K+): lowest gaps

Page 35

Vulnerability
• [q01] The organization’s data and networks are rarely tampered with by unauthorized access.
• [q05] The organization has adequate safeguards against internal and external threats to its data and networks.
• [q19] The organization improves its security by learning from previous attacks on its data and networks.
• [q31] The organization has a rapid response team ready for action when attacks occur.

Accessibility
• [q04] The organization checks the identity of users before allowing access to data and networks.
• [q11] The organization’s data and networks are only available to approved users.
• [q30] The organization provides access to data and networks to legitimate users.
• [q34] The organization’s data and networks are usually available when needed.

Page 36

Confidentiality
• [q12] The organization has adequate policies for when and how data can be shared.
• [q18] The organization has adequate policies about user identifications, passwords, and access privileges.
• [q20] The organization protects privacy of personal data (for example, customer data, data about employees).
• [q32] The organization provides good protection of confidential corporate data.

IT Resources
• [q03] The organization has enough IT security specialists to cover its security needs.
• [q10] In the organization, the IT group takes security seriously.
• [q13] The organization has adequate technology for supporting security.
• [q17] The organization uses its IT security resources effectively to improve security.

Page 37

Financial Resources
• [q09] In the organization, security funds are appropriately distributed based on needs.
• [q16] Security is a funding priority in the organization.
• [q23] The organization has enough security personnel to cover its security needs.
• [q28] The organization makes good use of available funds for security.

Business Strategy
• [q02] The organization’s security strategy sets direction for its security practices.
• [q22] Security is a business agenda item for top executives in the organization.
• [q27] In the organization, business managers help set the security strategy.
• [q29] The organization’s security strategy is well-publicized in the organization.

Page 38

Security Policy
• [q07] The organization has policies for regularly scheduled security audits.
• [q15] The organization has a well-defined and communicated security strategy.
• [q24] The organization has well-defined policies and procedures for data and network security.
• [q25] The organization has procedures for detecting and punishing security violations.

Security Culture
• [q08] People in the organization are knowledgeable about IT security tools and practices.
• [q14] People in the organization carefully follow good security practices.
• [q21] People in the organization can be trusted not to tamper with data and networks.
• [q26] People in the organization can be trusted to engage in ethical practices with data and networks.
• [q33] In the organization, people are aware of good security practices.